Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
23-11-2024 07:07
General
-
Target
753f4a2ba1718eaae4381a16c2ee8d48168190cd9c25d6f3c3ce428c9069468cN.exe
-
Size
205KB
-
MD5
53b3015772c17461d1ca8e6ed430ad90
-
SHA1
748ad69e2d062ee998dd785d87bb4838cf26b2f9
-
SHA256
753f4a2ba1718eaae4381a16c2ee8d48168190cd9c25d6f3c3ce428c9069468c
-
SHA512
8c749a391886d8ff2981671ba38a66733efdff22ae24e86398643627b19ef2c3d6ba5f1371d55a3c1ad0e161dcab683850b9ab7c14b8b1c84ef6bca5738c9f34
-
SSDEEP
6144:32KnlQq7HYVGyZ6YugQdjGG1wsKm6eBgdQbz:vlB7wGyXu1jGG1wsGeBg8
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
-
Berbew
Berbew is a backdoor written in C++.
-
Berbew family
-
Executes dropped EXE 64 IoCs
-
Loads dropped DLL 64 IoCs
-
Drops file in System32 directory 64 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\753f4a2ba1718eaae4381a16c2ee8d48168190cd9c25d6f3c3ce428c9069468cN.exe"C:\Users\Admin\AppData\Local\Temp\753f4a2ba1718eaae4381a16c2ee8d48168190cd9c25d6f3c3ce428c9069468cN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Kcecbq32.exeC:\Windows\system32\Kcecbq32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Kklkcn32.exeC:\Windows\system32\Kklkcn32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Knmdeioh.exeC:\Windows\system32\Knmdeioh.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Lgehno32.exeC:\Windows\system32\Lgehno32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Loqmba32.exeC:\Windows\system32\Loqmba32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Lldmleam.exeC:\Windows\system32\Lldmleam.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Lfmbek32.exeC:\Windows\system32\Lfmbek32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Lhknaf32.exeC:\Windows\system32\Lhknaf32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ldbofgme.exeC:\Windows\system32\Ldbofgme.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Lklgbadb.exeC:\Windows\system32\Lklgbadb.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Lhpglecl.exeC:\Windows\system32\Lhpglecl.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Mbhlek32.exeC:\Windows\system32\Mbhlek32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Mgedmb32.exeC:\Windows\system32\Mgedmb32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Mmbmeifk.exeC:\Windows\system32\Mmbmeifk.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Mfjann32.exeC:\Windows\system32\Mfjann32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Mnaiol32.exeC:\Windows\system32\Mnaiol32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Windows\SysWOW64\Mjhjdm32.exeC:\Windows\system32\Mjhjdm32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\Mqbbagjo.exeC:\Windows\system32\Mqbbagjo.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\Mbcoio32.exeC:\Windows\system32\Mbcoio32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\Mjkgjl32.exeC:\Windows\system32\Mjkgjl32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Windows\SysWOW64\Mimgeigj.exeC:\Windows\system32\Mimgeigj.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\Mcckcbgp.exeC:\Windows\system32\Mcckcbgp.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\Nbflno32.exeC:\Windows\system32\Nbflno32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Windows\SysWOW64\Nedhjj32.exeC:\Windows\system32\Nedhjj32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\Nnmlcp32.exeC:\Windows\system32\Nnmlcp32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\Nefdpjkl.exeC:\Windows\system32\Nefdpjkl.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Windows\SysWOW64\Nibqqh32.exeC:\Windows\system32\Nibqqh32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\Nnoiio32.exeC:\Windows\system32\Nnoiio32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\Nhgnaehm.exeC:\Windows\system32\Nhgnaehm.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\Nnafnopi.exeC:\Windows\system32\Nnafnopi.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Neknki32.exeC:\Windows\system32\Neknki32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\Nlefhcnc.exeC:\Windows\system32\Nlefhcnc.exe33⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Njhfcp32.exeC:\Windows\system32\Njhfcp32.exe34⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Nenkqi32.exeC:\Windows\system32\Nenkqi32.exe35⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Omioekbo.exeC:\Windows\system32\Omioekbo.exe36⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Opglafab.exeC:\Windows\system32\Opglafab.exe37⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ojmpooah.exeC:\Windows\system32\Ojmpooah.exe38⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Omklkkpl.exeC:\Windows\system32\Omklkkpl.exe39⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ofcqcp32.exeC:\Windows\system32\Ofcqcp32.exe40⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Oibmpl32.exeC:\Windows\system32\Oibmpl32.exe41⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Oplelf32.exeC:\Windows\system32\Oplelf32.exe42⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Offmipej.exeC:\Windows\system32\Offmipej.exe43⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Opnbbe32.exeC:\Windows\system32\Opnbbe32.exe44⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Oiffkkbk.exeC:\Windows\system32\Oiffkkbk.exe45⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ohiffh32.exeC:\Windows\system32\Ohiffh32.exe46⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Oococb32.exeC:\Windows\system32\Oococb32.exe47⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Obokcqhk.exeC:\Windows\system32\Obokcqhk.exe48⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Piicpk32.exeC:\Windows\system32\Piicpk32.exe49⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Plgolf32.exeC:\Windows\system32\Plgolf32.exe50⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Pofkha32.exeC:\Windows\system32\Pofkha32.exe51⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Padhdm32.exeC:\Windows\system32\Padhdm32.exe52⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Phnpagdp.exeC:\Windows\system32\Phnpagdp.exe53⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Pljlbf32.exeC:\Windows\system32\Pljlbf32.exe54⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Pafdjmkq.exeC:\Windows\system32\Pafdjmkq.exe55⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Pdeqfhjd.exeC:\Windows\system32\Pdeqfhjd.exe56⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Pgcmbcih.exeC:\Windows\system32\Pgcmbcih.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Pmmeon32.exeC:\Windows\system32\Pmmeon32.exe58⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Pplaki32.exeC:\Windows\system32\Pplaki32.exe59⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Pplaki32.exeC:\Windows\system32\Pplaki32.exe60⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Phcilf32.exeC:\Windows\system32\Phcilf32.exe61⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Pidfdofi.exeC:\Windows\system32\Pidfdofi.exe62⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Paknelgk.exeC:\Windows\system32\Paknelgk.exe63⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Pcljmdmj.exeC:\Windows\system32\Pcljmdmj.exe64⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Pghfnc32.exeC:\Windows\system32\Pghfnc32.exe65⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Pkcbnanl.exeC:\Windows\system32\Pkcbnanl.exe66⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Pleofj32.exeC:\Windows\system32\Pleofj32.exe67⤵
-
C:\Windows\SysWOW64\Qppkfhlc.exeC:\Windows\system32\Qppkfhlc.exe68⤵
-
C:\Windows\SysWOW64\Qgjccb32.exeC:\Windows\system32\Qgjccb32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Qiioon32.exeC:\Windows\system32\Qiioon32.exe70⤵
-
C:\Windows\SysWOW64\Qpbglhjq.exeC:\Windows\system32\Qpbglhjq.exe71⤵
-
C:\Windows\SysWOW64\Qcachc32.exeC:\Windows\system32\Qcachc32.exe72⤵
-
C:\Windows\SysWOW64\Qgmpibam.exeC:\Windows\system32\Qgmpibam.exe73⤵
-
C:\Windows\SysWOW64\Alihaioe.exeC:\Windows\system32\Alihaioe.exe74⤵
-
C:\Windows\SysWOW64\Apedah32.exeC:\Windows\system32\Apedah32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Agolnbok.exeC:\Windows\system32\Agolnbok.exe76⤵
-
C:\Windows\SysWOW64\Ajmijmnn.exeC:\Windows\system32\Ajmijmnn.exe77⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Apgagg32.exeC:\Windows\system32\Apgagg32.exe78⤵
-
C:\Windows\SysWOW64\Aojabdlf.exeC:\Windows\system32\Aojabdlf.exe79⤵
-
C:\Windows\SysWOW64\Aaimopli.exeC:\Windows\system32\Aaimopli.exe80⤵
-
C:\Windows\SysWOW64\Ajpepm32.exeC:\Windows\system32\Ajpepm32.exe81⤵
-
C:\Windows\SysWOW64\Akabgebj.exeC:\Windows\system32\Akabgebj.exe82⤵
-
C:\Windows\SysWOW64\Aomnhd32.exeC:\Windows\system32\Aomnhd32.exe83⤵
-
C:\Windows\SysWOW64\Achjibcl.exeC:\Windows\system32\Achjibcl.exe84⤵
-
C:\Windows\SysWOW64\Afffenbp.exeC:\Windows\system32\Afffenbp.exe85⤵
-
C:\Windows\SysWOW64\Akcomepg.exeC:\Windows\system32\Akcomepg.exe86⤵
-
C:\Windows\SysWOW64\Anbkipok.exeC:\Windows\system32\Anbkipok.exe87⤵
-
C:\Windows\SysWOW64\Adlcfjgh.exeC:\Windows\system32\Adlcfjgh.exe88⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Ahgofi32.exeC:\Windows\system32\Ahgofi32.exe89⤵
-
C:\Windows\SysWOW64\Agjobffl.exeC:\Windows\system32\Agjobffl.exe90⤵
-
C:\Windows\SysWOW64\Andgop32.exeC:\Windows\system32\Andgop32.exe91⤵
-
C:\Windows\SysWOW64\Abpcooea.exeC:\Windows\system32\Abpcooea.exe92⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Bhjlli32.exeC:\Windows\system32\Bhjlli32.exe93⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Bgllgedi.exeC:\Windows\system32\Bgllgedi.exe94⤵
-
C:\Windows\SysWOW64\Bnfddp32.exeC:\Windows\system32\Bnfddp32.exe95⤵
-
C:\Windows\SysWOW64\Bbbpenco.exeC:\Windows\system32\Bbbpenco.exe96⤵
-
C:\Windows\SysWOW64\Bdqlajbb.exeC:\Windows\system32\Bdqlajbb.exe97⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Bccmmf32.exeC:\Windows\system32\Bccmmf32.exe98⤵
-
C:\Windows\SysWOW64\Bniajoic.exeC:\Windows\system32\Bniajoic.exe99⤵
-
C:\Windows\SysWOW64\Bdcifi32.exeC:\Windows\system32\Bdcifi32.exe100⤵
-
C:\Windows\SysWOW64\Bgaebe32.exeC:\Windows\system32\Bgaebe32.exe101⤵
-
C:\Windows\SysWOW64\Bjpaop32.exeC:\Windows\system32\Bjpaop32.exe102⤵
-
C:\Windows\SysWOW64\Bmnnkl32.exeC:\Windows\system32\Bmnnkl32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Boljgg32.exeC:\Windows\system32\Boljgg32.exe104⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Bgcbhd32.exeC:\Windows\system32\Bgcbhd32.exe105⤵
-
C:\Windows\SysWOW64\Bjbndpmd.exeC:\Windows\system32\Bjbndpmd.exe106⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Bqlfaj32.exeC:\Windows\system32\Bqlfaj32.exe107⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Boogmgkl.exeC:\Windows\system32\Boogmgkl.exe108⤵
-
C:\Windows\SysWOW64\Bfioia32.exeC:\Windows\system32\Bfioia32.exe109⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Bigkel32.exeC:\Windows\system32\Bigkel32.exe110⤵
-
C:\Windows\SysWOW64\Bmbgfkje.exeC:\Windows\system32\Bmbgfkje.exe111⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Ccmpce32.exeC:\Windows\system32\Ccmpce32.exe112⤵
-
C:\Windows\SysWOW64\Cocphf32.exeC:\Windows\system32\Cocphf32.exe113⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Cnfqccna.exeC:\Windows\system32\Cnfqccna.exe114⤵
-
C:\Windows\SysWOW64\Cfmhdpnc.exeC:\Windows\system32\Cfmhdpnc.exe115⤵
-
C:\Windows\SysWOW64\Ckjamgmk.exeC:\Windows\system32\Ckjamgmk.exe116⤵
-
C:\Windows\SysWOW64\Cnimiblo.exeC:\Windows\system32\Cnimiblo.exe117⤵
-
C:\Windows\SysWOW64\Cebeem32.exeC:\Windows\system32\Cebeem32.exe118⤵
-
C:\Windows\SysWOW64\Cgaaah32.exeC:\Windows\system32\Cgaaah32.exe119⤵
-
C:\Windows\SysWOW64\Cnkjnb32.exeC:\Windows\system32\Cnkjnb32.exe120⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Cbffoabe.exeC:\Windows\system32\Cbffoabe.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-